Bug 18689 - RESOLVED DUPLICATE of bug 15123
Reproducible crash when writing a document into itself
https://bugs.webkit.org/show_bug.cgi?id=18689
Mark Piper
Reported 2008-04-22 18:11:57 PDT
The following script appears to crash any WebKit-based browser when provided by an HTML file or delivered via an XSS etc. Additional abstract behaviour can be observed by placing a large HTML payload after the body tag.

--- begin script ---
document.writeln(window.document.body.innerHTML);
--- end script ---

--- begin html file ---
<body>
AAAAAAAA
<script> document.writeln(window.document.body.innerHTML);</script>
</body>
--- end html file ---
Mark Rowe (bdash)
Comment 1 2008-04-24 15:11:21 PDT
Alexey Proskuryakov
Comment 2 2008-04-29 10:04:29 PDT
Reproducible crash -> P1.
chris reiss
Comment 3 2011-01-11 08:58:04 PST
This appears to have the same root cause as https://bugs.webkit.org/show_bug.cgi?id=15123 - there is no recursion check in WebCore::Document::write(). I'll have a patch for 15123 soon, suggest marking this bug as duplicate.
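Comment 3 attributes the crash to a missing recursion check in Document::write(). The toy model below is added here as an illustration; it is not WebCore code and not the patch the comment refers to. It shows how a depth counter bounds the re-entrant write pattern from the report: each time the embedded "script" writes the body (which contains the script itself) back into the document, write() nests one level deeper, until the limit refuses the next write and the calls unwind normally instead of recursing without bound. The class, the script hook and the depth limit value passed in are all constructed for this example.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <utility>

// Hypothetical model of a document whose write() can be re-entered by a
// script executed while the written markup is being parsed. Not WebCore.
class ToyDocument {
public:
    // A "script" receives the document so it can write back into it.
    using ScriptHook = std::function<void(ToyDocument&)>;

    ToyDocument(ScriptHook onScript, unsigned maxDepth)
        : m_onScript(std::move(onScript)), m_maxDepth(maxDepth) {}

    // Append markup to the body and run any <script> it contains.
    // Returns false when the write is refused because nested writes
    // already reached the depth limit (the check comment 3 says is missing).
    bool write(const std::string& markup) {
        if (m_depth >= m_maxDepth) {
            ++m_refusedWrites;
            return false;
        }
        // RAII guard keeps the depth counter balanced even if the hook throws.
        struct DepthGuard {
            unsigned& depth;
            explicit DepthGuard(unsigned& d) : depth(d) { ++depth; }
            ~DepthGuard() { --depth; }
        } guard(m_depth);

        m_body += markup;
        ++m_writes;
        if (markup.find("<script>") != std::string::npos)
            m_onScript(*this);  // re-entry point: the script may call write()
        return true;
    }

    const std::string& body() const { return m_body; }
    unsigned writes() const { return m_writes; }
    unsigned refusedWrites() const { return m_refusedWrites; }
    unsigned currentDepth() const { return m_depth; }

private:
    ScriptHook m_onScript;
    unsigned m_maxDepth;
    unsigned m_depth = 0;
    std::string m_body;
    unsigned m_writes = 0;
    unsigned m_refusedWrites = 0;
};

// Model of the reported page: the script writes the body's own markup,
// which includes the script, back into the document. The body doubles on
// every nested write, so the limit also bounds memory, not just stack depth.
ToyDocument runSelfWritingPage(unsigned maxDepth) {
    ToyDocument doc(
        [](ToyDocument& d) {
            // Equivalent of: document.writeln(window.document.body.innerHTML);
            d.write(d.body() + "\n");
        },
        maxDepth);
    doc.write("AAAAAAAA <script>document.writeln(window.document.body.innerHTML);</script>");
    return doc;
}

int main() {
    ToyDocument doc = runSelfWritingPage(8);  // constructed limit for the demo
    std::cout << "nested writes accepted: " << doc.writes()
              << ", refused: " << doc.refusedWrites()
              << ", body bytes: " << doc.body().size() << '\n';
    return 0;
}
```

With the limit in place the self-writing page produces exactly maxDepth accepted writes, one refused write, and a document that is still usable afterwards; without the `m_depth >= m_maxDepth` check the hook and write() would call each other until the stack is exhausted, which is the behaviour the report describes.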
chris reiss
Comment 4 2011-02-03 08:38:00 PST
Adam Barth
Comment 5 2011-02-03 09:33:55 PST
*** This bug has been marked as a duplicate of bug 15123 ***